Thunder v0.2.0
WSO2 Thunder ⚡
The Lightning Fast Identity Management Suite
Project Thunder is a modern identity management service by WSO2. It empowers you to design tailored login, registration, and recovery flows using a flexible identity flow designer.
Thunder secures users, applications, services, and AI agents by managing their identities and offering a complete suite of supporting capabilities.
Designed for extensibility, scalability, and seamless containerized deployment, Thunder integrates naturally with microservices and DevOps environments—serving as the core identity layer for your cloud platform.
🚀 Features
- ✅ Standards-Based
  - OAuth 2 / OpenID Connect (OIDC): Client Credentials
- 🔗 Login Options: Basic Authentication, Login with GitHub, Login with Google, Login with SMS OTP
- 🌐 RESTful APIs: App Native Login, User Management, Application Management, Identity Provider Management, Notification Message Provider Management
⚡ Quickstart
Download and Run WSO2 Thunder
Follow these steps to download the latest release of WSO2 Thunder and run it locally.
Step 1: Download the distribution from the latest release
Download thunder_<os>_<arch>-<version>.zip from the latest release for your operating system and architecture.
For example, if you are using a macOS machine with an Apple Silicon (ARM64) processor, you would download thunder_macos_arm64-<version>.zip.
Step 2: Unzip and start the product
- Unzip the downloaded file using the following command:
unzip thunder-<os>_<arch>-<version>.zip
- Navigate to the unzipped directory:
cd thunder-<os>_<arch>-<version>/
- Start the product using the following command:
  - If you are using a Linux or macOS machine:
bash start.sh
  - If you are using a Windows machine:
start.bat
Download and Run the Sample App
To quickly get started with WSO2 Thunder, you can use the sample app provided with the product. Follow these steps to download and run the sample app.
Step 1: Download the sample app
Download thunder-sample-app-<version>.zip from the latest release.
Step 2: Unzip the sample app and install dependencies
unzip thunder-sample-app-<version>.zip
cd thunder-sample-app-<version>/
npm install
(Optional) Step 3: Configure the sample app
Open the runtime.json file in the thunder-sample-app-/dist directory and update the configurations as per your setup. The default configurations should work for most cases, but you can customize the following properties:
- applicationID: The ID of the application you want to use for authentication. By default, it is set to 550e8400-e29b-41d4-a716-446655440000.
- flowEndpoint: The endpoint for the flow execution API. By default, it is set to https://localhost:8090/flow/execute.
Step 4: Start the sample app
npm start
Open your browser and navigate to https://localhost:3000 to see the sample app in action.
Try Out the Product
1️⃣ Create a User
Create a user in the system to try out the authentication flows. You can use the following cURL command to create a user with the required attributes.
curl -kL -H 'Content-Type: application/json' https://localhost:8090/users \
-d '{
"organizationUnit": "456e8400-e29b-41d4-a716-446655440001",
"type": "superhuman",
"attributes": {
"username": "thor",
"password": "thor123",
"email": "thor@thunder.sky",
"firstName": "Thor",
"lastName": "Odinson",
"age": 1534,
"abilities": [
"strength",
"speed",
"healing"
],
"address": {
"city": "Asgard",
"zip": "00100"
}
}
}'
2️⃣ Try Out Client Credentials Flow
curl -k -X POST https://localhost:8090/oauth2/token \
-d 'grant_type=client_credentials' \
-u 'client123:secret123'
3️⃣ Try Username and Password Login
Open the sample app in your browser and enter the username and password you created in the first step. If the login is successful, you will be redirected to the home page of the sample app with the access token.
4️⃣ Try Google Login
- Create an OAuth application in your Google account following the instructions given in the Google documentation.
  - Configure the Authorized origin and Redirect URI as per your application.
  - Copy the Client ID and Client Secret.
- Update the system created Google IDP by invoking the IDP management API with the following cURL command. Make sure to replace <client_id>, <client_secret>, and <app_callback_url> with the values you copied from your Google OAuth application.
curl -kL -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/identity-providers/550e8400-e29b-41d4-a716-446655440002 \
-d '{
"id": "550e8400-e29b-41d4-a716-446655440001",
"name": "Google",
"description": "Login with Google",
"properties": [
{
"name": "client_id",
"value": "<client_id>",
"is_secret": false
},
{
"name": "client_secret",
"value": "<client_secret>",
"is_secret": true
},
{
"name": "redirect_uri",
"value": "<app_callback_url>",
"is_secret": false
},
{
"name": "scopes",
"value": "openid,email,profile",
"is_secret": false
}
]
}'
Note: Refer to the Identity Provider Configuration Guide for more details on configuring identity providers.
- Update the system default application to use the Google login template by invoking the application management API with the following cURL command.
curl -kL -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/applications/550e8400-e29b-41d4-a716-446655440000 \
--data '{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Test SPA",
"description": "Initial testing App",
"client_id": "client123",
"client_secret": "***",
"callback_url": [
"https://localhost:3000"
],
"supported_grant_types": [
"client_credentials",
"authorization_code"
],
"auth_flow_graph_id": "auth_flow_config_google"
}'
- Open the sample app in your browser and click on the "Continue with Google" button. You will be redirected to the Google login page. Enter your Google credentials and authorize the application.
- If the login is successful, you will be redirected to the home page of the sample app with the access token.
5️⃣ Try GitHub Login
- Create an OAuth application in your GitHub account following the instructions given in the GitHub documentation.
  - Configure home page and callback URLs as per your application.
  - Copy the Client ID and Client Secret.
- Update the system created GitHub IDP by invoking the IDP management API with the following cURL command. Make sure to replace <client_id>, <client_secret>, and <app_callback_url> with the values you copied from your GitHub OAuth application.
curl -kL -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/identity-providers/550e8400-e29b-41d4-a716-446655440001 \
-d '{
"id": "550e8400-e29b-41d4-a716-446655440001",
"name": "Github",
"description": "Login with Github",
"properties": [
{
"name": "client_id",
"value": "<client_id>",
"is_secret": false
},
{
"name": "client_secret",
"value": "<client_secret>",
"is_secret": true
},
{
"name": "redirect_uri",
"value": "<app_callback_url>",
"is_secret": false
},
{
"name": "scopes",
"value": "user:email,read:user",
"is_secret": false
}
]
}'
Note: Refer to the Identity Provider Configuration Guide for more details on configuring identity providers.
- Update the system default application to use the GitHub login template by invoking the application management API with the following cURL command.
curl -kL -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/applications/550e8400-e29b-41d4-a716-446655440000 \
--data '{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Test SPA",
"description": "Initial testing App",
"client_id": "client123",
"client_secret": "***",
"callback_url": [
"https://localhost:3000"
],
"supported_grant_types": [
"client_credentials",
"authorization_code"
],
"auth_flow_graph_id": "auth_flow_config_github"
}'
- Open the sample app in your browser and click on the "Continue with GitHub" button. You will be redirected to the GitHub login page. Enter your GitHub credentials and authorize the application.
- If the login is successful, you will be redirected to the home page of the sample app with the access token.
6️⃣ Try SMS OTP Login
SMS One-Time Password (OTP) authentication allows users to authenticate using a one-time code sent to their mobile number. Prior to using SMS OTP, you need to configure a message provider to send SMS messages. Follow the steps below to set up SMS OTP authentication.
Step 1: Configure a Message Provider
Configure a message provider to send SMS messages. You can use services like Twilio, Vonage, or a custom service of your choice.
curl -kL -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/notification-senders/message \
-d '{
"name": "Custom SMS Sender",
"description": "Sender for sending SMS messages",
"provider": "custom",
"properties": [
{
"name": "url",
"value": "<custom_sms_provider_url>"
},
{
"name": "http_method",
"value": "POST"
},
{
"name": "content_type",
"value": "JSON"
}
]
}'
Note: Refer to the Message Provider Configuration Guide for more details on configuring message providers.
Step 2: Update SMS OTP Flow Configuration
Update the senderName property in the auth_flow_config_sms flow definition to use your configured message sender.
Step 3: Configure Application to Use SMS OTP Flow
Update the system application to use the SMS OTP authentication flow template:
curl -kL -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' https://localhost:8090/applications/550e8400-e29b-41d4-a716-446655440000 \
--data '{
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Test SPA",
"description": "Initial testing App",
"client_id": "client123",
"client_secret": "***",
"callback_url": [
"https://localhost:3000"
],
"supported_grant_types": [
"client_credentials",
"authorization_code"
],
"auth_flow_graph_id": "auth_flow_config_sms"
}'
Step 4: Create a User with Mobile Number
Create a user with a mobileNumber attribute to receive SMS OTP:
curl -kL -H 'Content-Type: application/json' https://localhost:8090/users \
-d '{
"organizationUnit": "456e8400-e29b-41d4-a716-446655440001",
"type": "superhuman",
"attributes": {
"username": "thor",
"password": "thor123",
"email": "thor@thunder.sky",
"firstName": "Thor",
"lastName": "Odinson",
"age": 1534,
"abilities": [
"strength",
"speed",
"healing"
],
"address": {
"city": "Asgard",
"zip": "00100"
},
"mobileNumber": "+94xxxxxxxxx"
}
}'
Step 5: Try Out SMS OTP Authentication
- Initiate the authentication flow with your application ID:
curl -kL -H 'Accept: application/json' -H 'Content-Type: application/json' https://localhost:8090/flow/execute \
-d '{
"applicationId": "550e8400-e29b-41d4-a716-446655440000"
}'
You'll receive a response with a flow ID and username input request.
- Provide the username to continue the flow:
curl -kL -H 'Content-Type: application/json' https://localhost:8090/flow/execute \
-d '{
"flowId": "<flow_id>",
"inputs": {
"username": "thor"
}
}'
An OTP will be sent to the user's mobile number.
- Complete authentication by providing the OTP:
curl -kL -H 'Content-Type: application/json' https://localhost:8090/flow/execute \
-d '{
"flowId": "<flow_id>",
"inputs": {
"otp": "696546"
}
}'
- If the OTP is valid, you will receive a response with the auth assertion.
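The three Step 5 calls can be chained so the flow ID from the first reply is carried into the later requests. The script below is an added example, not part of the Thunder distribution: it assumes the reply names the flow ID field flowId (the page shows that name only in requests), and it verifies TLS against a certificate file the operator supplies (the hypothetical cafile parameter) rather than skipping verification as curl -k does.

```python
import json
import ssl
import urllib.request

FLOW_ENDPOINT = "https://localhost:8090/flow/execute"    # from the page
APPLICATION_ID = "550e8400-e29b-41d4-a716-446655440000"  # from the page


def https_post(url, payload, cafile=None):
    """POST a JSON body and return the decoded JSON reply.

    cafile: PEM file with the server's certificate (assumed to be exported
    by the operator), so TLS is verified rather than skipped as with curl -k.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def sms_otp_login(username, read_otp, post=https_post,
                  url=FLOW_ENDPOINT, application_id=APPLICATION_ID):
    """Run the three Step 5 calls in order and return the last reply."""
    # 1. Start the flow for the application.
    started = post(url, {"applicationId": application_id})
    flow_id = started.get("flowId")  # assumed name of the reply field
    if not flow_id:
        raise RuntimeError("no flow ID in reply: %r" % (started,))
    # 2. Send the username; the server then sends the OTP by SMS.
    post(url, {"flowId": flow_id, "inputs": {"username": username}})
    # 3. Submit the code the user read from the SMS, on the same flow ID.
    return post(url, {"flowId": flow_id, "inputs": {"otp": read_otp()}})


if __name__ == "__main__":
    reply = sms_otp_login("thor", lambda: input("OTP: "))
    print(json.dumps(reply, indent=2))
```

The post argument accepts any callable taking a URL and a payload, so the sequence can be exercised against a stub without a running server.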
License
This source is licensed under the Apache License, Version 2.0 (LICENSE). You may not use this file except in compliance with the License.
(c) Copyright 2025 WSO2 LLC.
